Documentation ¶
Index ¶
- Constants
- func CreateGrpcMiddlewareAuthFunction(authService AuthService) func(ctx context.Context) (context.Context, error)
- func CreateHttpMiddlewareAuthFunction(authService AuthService) func(w http.ResponseWriter, r *http.Request) (context.Context, error)
- func WithPrincipal(ctx context.Context, principal Principal) context.Context
- type ActionAuthorizer
- type AnonymousAuthService
- type AuthService
- type Authorizer
- type BasicAuthService
- type CacheData
- type KubernetesNativeAuthService
- type KubernetesTokenReviewer
- type MultiAuthService
- type OpenIdAuthService
- type Owned
- type PermissionChecker
- type PermissionClaimQueries
- type Principal
- type PrincipalPermissionChecker
- type StaticPrincipal
- func (p *StaticPrincipal) GetAuthMethod() string
- func (p *StaticPrincipal) GetGroupNames() []string
- func (p *StaticPrincipal) GetName() string
- func (p *StaticPrincipal) HasClaim(claim string) bool
- func (p *StaticPrincipal) HasScope(scope string) bool
- func (p *StaticPrincipal) IsInGroup(group string) bool
- type TokenReviewer
Constants ¶
const AnonymousAuthServiceName = "Anonymous"
const BasicAuthServiceName = "Basic"
const EveryoneGroup = "everyone"
All users are implicitly part of this group.
const KubernetesAuthServiceName = "KubernetesNative"
const OidcAuthServiceName = "OIDC"
Variables ¶
This section is empty.
Functions ¶
func CreateGrpcMiddlewareAuthFunction ¶ added in v0.9.4
func CreateGrpcMiddlewareAuthFunction(authService AuthService) func(ctx context.Context) (context.Context, error)
CreateGrpcMiddlewareAuthFunction returns an authentication function for use with gRPC middleware. The returned function succeeds if any service successfully authenticates the user, and returns an error if all services fail to authenticate.
If authentication succeeds, the username returned by the authentication service is added to the request context for logging purposes.
func CreateHttpMiddlewareAuthFunction ¶ added in v0.9.4
func CreateHttpMiddlewareAuthFunction(authService AuthService) func(w http.ResponseWriter, r *http.Request) (context.Context, error)
CreateHttpMiddlewareAuthFunction returns an authentication function for use with HTTP middleware. The returned function succeeds if any service successfully authenticates the user, and returns an error if all services fail to authenticate.
If authentication succeeds, the username returned by the authentication service is added to the request context for logging purposes.
Types ¶
type ActionAuthorizer ¶ added in v0.4.52
type ActionAuthorizer interface {
	AuthorizeAction(ctx *armadacontext.Context, perm permission.Permission) error
	AuthorizeQueueAction(ctx *armadacontext.Context, queue queue.Queue, anyPerm permission.Permission, perm queue.PermissionVerb) error
}
type AnonymousAuthService ¶ added in v0.4.52
type AnonymousAuthService struct{}
func (AnonymousAuthService) Authenticate ¶ added in v0.4.52
type AuthService ¶ added in v0.4.52
type AuthService interface {
Authenticate(ctx context.Context, authHeader string) (Principal, error)
}
AuthService represents a method of authentication for the HTTP or gRPC API. Each implementation represents a particular method, e.g., username/password or OpenID. The HTTP/gRPC server may be started with multiple AuthService implementations to give several options for authentication.
func ConfigureAuth ¶
func ConfigureAuth(config configuration.AuthConfig) ([]AuthService, error)
type Authorizer ¶ added in v0.4.52
type Authorizer struct {
// contains filtered or unexported fields
}
func NewAuthorizer ¶ added in v0.4.52
func NewAuthorizer(permissionChecker PermissionChecker) *Authorizer
func (*Authorizer) AuthorizeAction ¶ added in v0.4.52
func (b *Authorizer) AuthorizeAction(ctx *armadacontext.Context, perm permission.Permission) error
func (*Authorizer) AuthorizeQueueAction ¶ added in v0.4.52
func (b *Authorizer) AuthorizeQueueAction(
	ctx *armadacontext.Context,
	queue queue.Queue,
	anyPerm permission.Permission,
	perm queue.PermissionVerb,
) error
type BasicAuthService ¶ added in v0.4.52
type BasicAuthService struct {
// contains filtered or unexported fields
}
func NewBasicAuthService ¶ added in v0.4.52
func NewBasicAuthService(users map[string]configuration.UserInfo) *BasicAuthService
func (*BasicAuthService) Authenticate ¶ added in v0.4.52
type KubernetesNativeAuthService ¶ added in v0.4.52
type KubernetesNativeAuthService struct {
	KidMappingFileLocation string
	TokenCache             *cache.Cache
	InvalidTokenExpiry     int64
	TokenReviewer          TokenReviewer
	Clock                  clock.Clock
}
func NewKubernetesNativeAuthService ¶ added in v0.4.52
func NewKubernetesNativeAuthService(config configuration.KubernetesAuthConfig) KubernetesNativeAuthService
func (*KubernetesNativeAuthService) Authenticate ¶ added in v0.4.52
type KubernetesTokenReviewer ¶ added in v0.4.52
type KubernetesTokenReviewer struct{}
func (*KubernetesTokenReviewer) ReviewToken ¶ added in v0.4.52
func (reviewer *KubernetesTokenReviewer) ReviewToken(ctx context.Context, clusterUrl string, token string, ca []byte) (*authv1.TokenReview, error)
type MultiAuthService ¶ added in v0.9.4
type MultiAuthService struct {
// contains filtered or unexported fields
}
func NewMultiAuthService ¶ added in v0.9.4
func NewMultiAuthService(authServices []AuthService) *MultiAuthService
func (*MultiAuthService) Authenticate ¶ added in v0.9.4
func (multi *MultiAuthService) Authenticate(ctx context.Context, authHeader string) (Principal, error)
Authenticate tries the services in authServices one at a time, in sequence. The first successful authentication short-circuits the process; an error is returned only if every service fails.
type OpenIdAuthService ¶ added in v0.4.52
type OpenIdAuthService struct {
// contains filtered or unexported fields
}
func NewOpenIdAuthService ¶ added in v0.4.52
func NewOpenIdAuthService(verifier *oidc.IDTokenVerifier, groupsClaim string) *OpenIdAuthService
func NewOpenIdAuthServiceForProvider ¶ added in v0.4.52
func NewOpenIdAuthServiceForProvider(ctx context.Context, config *configuration.OpenIdAuthenticationConfig) (*OpenIdAuthService, error)
func (*OpenIdAuthService) Authenticate ¶ added in v0.4.52
type PermissionChecker ¶ added in v0.4.52
type PermissionChecker interface {
	UserHasPermission(ctx context.Context, perm permission.Permission) bool
	UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)
}
type PermissionClaimQueries ¶ added in v0.4.52
type PermissionClaimQueries map[permission.Permission]string
type Principal ¶ added in v0.4.52
type Principal interface {
	GetName() string
	GetAuthMethod() string
	GetGroupNames() []string
	IsInGroup(group string) bool
	HasScope(scope string) bool
	HasClaim(claim string) bool
}
Principal represents an entity that can be authenticated (e.g., a user). Each principal has a name associated with it and may be part of one or more groups. Scopes and claims are as defined in OpenId.
func GetPrincipal ¶ added in v0.4.52
GetPrincipal returns the principal (e.g., a user) contained in a context. The principal is assumed to be stored as a ctx.Value. If no principal can be found, a principal representing an anonymous (unauthenticated) user is returned.
type PrincipalPermissionChecker ¶ added in v0.4.52
type PrincipalPermissionChecker struct {
// contains filtered or unexported fields
}
func NewPrincipalPermissionChecker ¶ added in v0.4.52
func NewPrincipalPermissionChecker(
	permissionGroupMap map[permission.Permission][]string,
	permissionScopeMap map[permission.Permission][]string,
	permissionClaimMap map[permission.Permission][]string,
) *PrincipalPermissionChecker
func (*PrincipalPermissionChecker) UserHasPermission ¶ added in v0.4.52
func (checker *PrincipalPermissionChecker) UserHasPermission(ctx context.Context, perm permission.Permission) bool
UserHasPermission returns true if the principal contained in the context has the given permission, which is determined by checking if any of the groups, scopes, or claims associated with the principal has that permission.
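The following self-contained Go sketch is an added example, not Armada's code: it reproduces the two behaviours documented above, the first-success short-circuit of MultiAuthService.Authenticate (which makes the order of the configured services security-relevant) and the group/scope/claim lookup of UserHasPermission with the implicit EveryoneGroup membership. Principal, AuthService, AuthFunc, AuthenticateAny, HasPermission and anyIn are constructed stand-ins for the package's types and methods.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

const EveryoneGroup = "everyone" // every principal is implicitly a member
// Principal and AuthService are constructed stand-ins for the package's types.
type Principal struct{ Name string; Groups, Scopes, Claims []string }
type AuthService interface {
	Authenticate(ctx context.Context, authHeader string) (*Principal, error)
}

// AuthenticateAny mirrors MultiAuthService.Authenticate: services run in order and the
// first success short-circuits, so a permissive service listed first shadows every
// stricter one after it; an error is returned only when all services reject.
func AuthenticateAny(ctx context.Context, services []AuthService, header string) (*Principal, error) {
	var reasons []string
	for _, s := range services {
		p, err := s.Authenticate(ctx, header)
		if err == nil {
			return p, nil
		}
		reasons = append(reasons, err.Error())
	}
	return nil, fmt.Errorf("all %d auth services failed: %s", len(services), strings.Join(reasons, "; "))
}

// AuthFunc adapts a plain function to AuthService (constructed helper).
type AuthFunc func(ctx context.Context, authHeader string) (*Principal, error)
func (f AuthFunc) Authenticate(ctx context.Context, h string) (*Principal, error) { return f(ctx, h) }

// HasPermission mirrors PrincipalPermissionChecker.UserHasPermission: perm is granted when
// any group (EveryoneGroup included), scope or claim of p is listed for it in its table.
func HasPermission(p *Principal, perm string, groupMap, scopeMap, claimMap map[string][]string) bool {
	return anyIn(append([]string{EveryoneGroup}, p.Groups...), groupMap[perm]) ||
		anyIn(p.Scopes, scopeMap[perm]) || anyIn(p.Claims, claimMap[perm])
}

func anyIn(have, allowed []string) bool {
	for _, h := range have {
		for _, a := range allowed {
			if h == a {
				return true
			}
		}
	}
	return false
}
```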
func (*PrincipalPermissionChecker) UserOwns ¶ added in v0.4.52
func (checker *PrincipalPermissionChecker) UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)
UserOwns checks if obj is owned by the principal contained in the context, or by a group of which the principal is a member. If obj is owned by a group of which the principal is a member, this method also returns the list of groups that own the object and that the principal is a member of. If obj is owned directly by the principal in the context, no groups are returned.
TODO Should we always return the groups (even if the principal owns obj directly)?
type StaticPrincipal ¶ added in v0.4.52
type StaticPrincipal struct {
// contains filtered or unexported fields
}
Default implementation of the Principal interface. Here, static refers to the fact that the principal doesn't change once it has been created.
func NewStaticPrincipal ¶ added in v0.4.52
func NewStaticPrincipal(name string, authMethod string, groups []string) *StaticPrincipal
func NewStaticPrincipalWithScopesAndClaims ¶ added in v0.4.52
func (*StaticPrincipal) GetAuthMethod ¶ added in v0.9.4
func (p *StaticPrincipal) GetAuthMethod() string
func (*StaticPrincipal) GetGroupNames ¶ added in v0.4.52
func (p *StaticPrincipal) GetGroupNames() []string
func (*StaticPrincipal) GetName ¶ added in v0.4.52
func (p *StaticPrincipal) GetName() string
func (*StaticPrincipal) HasClaim ¶ added in v0.4.52
func (p *StaticPrincipal) HasClaim(claim string) bool
func (*StaticPrincipal) HasScope ¶ added in v0.4.52
func (p *StaticPrincipal) HasScope(scope string) bool
func (*StaticPrincipal) IsInGroup ¶ added in v0.4.52
func (p *StaticPrincipal) IsInGroup(group string) bool